Why Businesses Need Security Awareness Training

If you’re a business, you might think you don’t need to educate your end users about cyberattacks, compliance issues, and other risks they face online. If you’re an MSP, maybe you have clients who don’t yet see the value of security awareness training.

Either way, here are some facts that will help build a strong case. Need help making that case to someone else? Download our Security Awareness Training PowerPoint presentation.

Let's Start with the Facts

Many businesses think they’re too small to be a target, or that their end users already know how to avoid phishing. But every business is a target, and cyberattacks are expensive enough that a single breach could be disastrous. When you understand the real-world risks and statistics around actual end user behavior, the importance of training is pretty undeniable.

Here are 6 reasons why security awareness training is crucial for businesses.

1. If you think your end users know better… they probably don’t.

Hackers use social engineering attacks to take advantage of end users’ curiosity, trust, fear, negligence, and greed to drop malware on business networks. More importantly, 49% of employees admit they click links in messages from unknown senders while at work.1 When you consider that 1 in 50 URLs is malicious2, businesses really can’t afford to have half their workforce taking these kinds of risks.

2. The average person has terrible online habits.

Of workers who are certain their personal information has been compromised in a cyberattack, more than one-third didn’t even bother to change their account passwords afterward!1 In fact, 67% of workers worldwide are certain they have received at least one phishing email at work. Of those, nearly 40% didn’t report it to anyone, let alone their company’s IT or security teams.1 Ouch.

3. The threats just keep on coming, and phishing isn’t going away.

According to the 2019 Verizon Data Breach Investigations Report, most breaches involve phishing and the use of stolen credentials.3 Because phishing continues to be such a successful method for breaching business networks, cybercriminals are going to keep using it. And they’re getting better at looking convincing; nearly 1 in 3 phishing sites use HTTPS to give page visitors a false sense of security.2

4. Criminals often target small businesses BECAUSE they are small.

Hackers are banking on small and medium-sized businesses (SMBs) believing they won’t be targeted due to their size. The bad guys also know that, while SMBs can hold a fair amount of private and financial data, they are significantly less likely to have the resources to invest in comprehensive security programs. Not only that, but because a single small business could have connections to other, larger companies, they may be targeted simply so that criminals can gain access to systems belonging to “bigger fish”.

5. Many businesses are subject to compliance regulations that require training.

If a business operates in healthcare, finance, retail, insurance, or energy, these industries typically require end user awareness training at least annually. Basically, if a company takes credit card payments or wire transfers for any reason; or stores customers’ personal data (SSNs, account numbers, payment card data, etc.) for any length of time; then it’s critical for them to look into the applicable compliance and/or cybersecurity regulations ASAP. The fines for non-compliance can be painfully high. Why risk that?

6. When you consider the costs of a breach, training has pretty significant ROI.

Did you know the average total cost of a data breach is now up to $3.92 million?4 Or that 90% of the malware businesses encounter is delivered via email?3 If you could stop employees from falling victim to phishing and email malware, you’d do it, wouldn’t you? Well, the results of training speak for themselves. After 12 months of ongoing phishing simulations and security awareness training courses, end users are 70% less likely to click through on a phishing message.5 When you consider all these numbers together, it’s pretty clear that training can save you a lot of time and headache—not to mention money.


Webroot Inc. “Hook, Line, and Sinker: Why Phishing Attacks Work.” (September 2019)

Webroot Inc. “2019 Webroot Threat Report: Mid-Year Update.” (September 2019)

Verizon. “2019 Data Breach Investigations Report.” (May 2019)

IBM. “2019 Cost of a Data Breach Report.” (July 2019)

Webroot Inc. “2019 Webroot Threat Report.” (February 2019)

Read about the Webroot solution for business security awareness training

Webroot Can Help

Start a free 30-day,no-risk, no-software-conflict trial today to see the Webroot difference for yourself. Have other questions on implementing MSP-friendly security awareness training? Ask away.